Bounty

How is everyone finding where the file is uploaded? Is anyone willing to PM me with a nudge in the right direction? Please. I can’t figure out where my uploads are going. THX

Got RCE, having trouble moving files over to the Windows machine.

Anyone to PM?

I know which file extension is able to bypass the check and I have basic RCE, but I have no idea how to execute system commands. I always get a “500 - Internal server error”. Can someone PM me?

Edit: I still can’t verify RCE; I can verify an image file upload. But none of the PoCs I’ve tried have worked for RCE. I’m trying more than one method, but neither works. I either get the 500 error when trying th we*****ig or “cannot be displayed” with the other method.
Is anyone here willing to give a little help via PM? I’m really stuck here, I’m at the point where I’m not making any progress.

OK, I am lost here… been banging away at this box for way too long. I know where to upload. I have tried various webshells and RCEs but nothing. Every time I browse to the upload directory, it’s either a 500 or 404… really need a clue.

@aelric said:
OK, I am lost here… been banging away at this box for way too long. I know where to upload. I have tried various webshells and RCEs but nothing. Every time I browse to the upload directory, it’s either a 500 or 404… really need a clue.

Same here. I’ve tried every combination of public PoC, and have added numerous variants of code myself. And all I get is the 500 error code at first, then after 30 seconds I get the 400.
I’ve gone over the PoC line by line, and changed little things while trying each time with the same outcome (500 error). I’ve used PoCs from PayloadsAllTheThings, and tried them with so many different alternatives that I’ve lost count. I can’t understand how so many people got RCE so easily, while I can’t even get the slightest sign of RCE.
Anyone willing to help at all? Please PM!!

So I got RCE… all I can do is get it to ping me though. Any kind of output results in a 500 error… can anyone help? PM me if you need help getting to where I am… which is slightly short of getting user (and maybe we can help each other!)

If you think you have RCE, how about pinging yourself and watching for the traffic with Wireshark?

Finally user and a stable shell (if people don’t reboot the server)… now to priv esc??

Rooted today. Fun ride and lessons learnt on this one. Be aware of architecture!

Rooted after one month. And the reason for that is simply lack of knowledge and experience.
So if you cannot get user/root, try harder and learn more. Take a break (I did four or five different boxes meanwhile).
Read the tutorials on exploiting Windows; in the end you find out that this box is not rocket science.

BTW I can see this in the “Page info” of the web page:
Have I visited this website prior to today? Yes, 1 491 times :wink:

So be patient and GL, I’m going for a beer… or three :)

@AgentTiro said:
If you think you have RCE, how about pinging yourself and watching for the traffic with Wireshark?

Yeah, was able to ping myself… got something wrong with the coding and ended up getting the text to display. Got user! Working on RCE now…

Got a wShell to do RCE with, but cannot find user for the life of me, have gone up and down all these directories. Can anyone give me a tip?

Need some advice getting an initial foothold. Think I have the URL but not sure… Please PM me.

Can somebody PM me with some help on the parameters for RCE? I’ve got the right file extension and am uploading what I assume to be the right file but keep getting 500 errors.

Got root!

PM if needed

Also finally got root… PM if you need a nudge. This box was verrrrry touchy with the commands… things would just stop working if I missed a single quote, etc.

Spoiler Removed - Arrexel

I cannot even get user on this. I have already wasted 5 days, and I have not got the user flag yet. Reading the posts in this topic, I understand that I have to find a secret page that will help me upload my payload. I tried with wfuzz and dirbuster all the wordlists regarding ASP.NET that I could find, but so far I could not get access. Any hint?